Abhishek Bhatia:
Are we expected to know the Falco rules format? I am going through mock exam 1, Q6:
# Add the updated rule under /etc/falco/falco_rules.local.yaml and hot reload the Falco service on node01:

- rule: Write below binary dir
  desc: an attempt to write to any file below a set of binary directories
  condition: >
    bin_dir and evt.dir = < and open_write
    and not package_mgmt_procs
    and not exe_running_docker_save
    and not python_running_get_pip
    and not python_running_ms_oms
    and not user_known_write_below_binary_dir_activities
  output: >
    File below a known binary directory opened for writing (user=%user.name file_updated=%fd.name command=%proc.cmdline)
  priority: CRITICAL
  tags: [filesystem, mitre_persistence]
Would I have to learn how to write the rules?
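As an added example (not part of the question above, the mock exam, or the Falco project's own code), the following script shows what the task in Q6 amounts to in practice: writing the override rule into the local rules file in Falco's YAML format and then hot-reloading Falco. It assumes Falco is running on the node as a process named `falco`, that the upstream rule set (which defines the `bin_dir`, `package_mgmt_procs`, `exe_running_docker_save`, `python_running_get_pip`, `python_running_ms_oms` and `user_known_write_below_binary_dir_activities` macros) is loaded before `falco_rules.local.yaml`, and that `falco --validate` and `pidof` are available. The `FALCO_APPLY` guard, `render_rule`, `write_rule`, `check_rule_file` and `reload_falco` names are this example's own.

```shell
#!/bin/sh
# Added example: install a Falco rule override and hot-reload Falco.
# Assumptions (not from the post): Falco runs as a process named "falco",
# the upstream rules load before the local file, and "falco --validate"
# plus "pidof" exist on the node.
set -e

# Emit the rule in Falco's rules-file format: a list item with rule, desc,
# condition, output, priority and tags. Because it keeps the upstream name
# "Write below binary dir", the local file (loaded last) replaces the
# upstream definition instead of creating a second rule with the same name.
render_rule() {
  cat <<'EOF'
- rule: Write below binary dir
  desc: an attempt to write to any file below a set of binary directories
  condition: >
    bin_dir and evt.dir = < and open_write
    and not package_mgmt_procs
    and not exe_running_docker_save
    and not python_running_get_pip
    and not python_running_ms_oms
    and not user_known_write_below_binary_dir_activities
  output: >
    File below a known binary directory opened for writing (user=%user.name
    file_updated=%fd.name command=%proc.cmdline)
  priority: CRITICAL
  tags: [filesystem, mitre_persistence]
EOF
}

# Write the rendered rule to the given path (the exam wants
# /etc/falco/falco_rules.local.yaml).
write_rule() {
  render_rule > "$1"
}

# Sanity check before reloading: the rule name, a folded condition block
# and the CRITICAL priority must all be present, exactly once.
check_rule_file() {
  f="$1"
  [ "$(grep -c '^- rule: Write below binary dir$' "$f")" -eq 1 ] || return 1
  grep -q '^  condition: >$' "$f" || return 1
  grep -q '^  priority: CRITICAL$' "$f" || return 1
  return 0
}

# Hot reload: Falco re-reads its config and rules on SIGHUP, so the running
# service keeps its event stream instead of being restarted. Validate the
# file first so a syntax error does not leave Falco without the rule.
reload_falco() {
  f="$1"
  if command -v falco >/dev/null 2>&1; then
    falco --validate "$f"
  fi
  kill -HUP "$(pidof falco)"
}

main() {
  rules_file="${1:-/etc/falco/falco_rules.local.yaml}"
  write_rule "$rules_file"
  check_rule_file "$rules_file"
  reload_falco "$rules_file"
}

# Only touch the real node when explicitly asked, e.g.
#   FALCO_APPLY=1 sudo sh install_rule.sh
if [ "${FALCO_APPLY:-0}" = "1" ]; then
  main "$@"
fi
```

Run it on node01 with `FALCO_APPLY=1`, then trigger the rule (for instance `touch /bin/x` as root) and confirm the CRITICAL line appears in Falco's output; if nothing fires, check that the local file is listed after the upstream rules in `rules_file` in /etc/falco/falco.yaml.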